Designing a Location Trace Anonymization Contest

Takao Murakami (AIST)∗ Hiromi Arai (RIKEN) Koki Hamada (NTT)Takuma Hatano (NSSOL) Makoto Iguchi (Kii Corporation)

Hiroaki Kikuchi (Meiji University) Atsushi Kuromasa (Fujitsu Cloud Technologies)Hiroshi Nakagawa (RIKEN) Yuichi Nakamura (Waseda University)

Kenshiro Nishiyama (BizReach, Inc.) Ryo Nojima (NICT)Hidenobu Oguri (Fujitsu Laboratories Ltd.)

Chiemi Watanabe (Tsukuba University of Technology) Akira Yamada (KDDI Research, Inc.)Takayasu Yamaguchi (Akita Prefectural University) Yuji Yamaoka (Fujitsu Laboratories Ltd.)

AbstractFor a better understanding of anonymization methods for lo-cation traces, we have designed and held a location traceanonymization contest. Our contest deals with a long trace(400 events per user) and fine-grained locations (1024 re-gions). In our contest, each team anonymizes her originaltraces, and then the other teams perform privacy attacksagainst the anonymized traces in a partial-knowledge attackermodel where the adversary does not know the original traces.To realize such a contest, we propose a location synthesizerthat has diversity and utility; the synthesizer generates dif-ferent synthetic traces for each team while preserving vari-ous statistical features of real traces. We also show that re-identification alone is insufficient as a privacy risk and thattrace inference should be added as an additional risk. Specifi-cally, we show an example of anonymization that is perfectlysecure against re-identification and is not secure against traceinference. Based on this, our contest evaluates both the re-identification risk and trace inference risk and analyzes theirrelationship. Through our contest, we show several findingsin a situation where both defense and attack compete together.In particular, we show that an anonymization method secureagainst trace inference is also secure against re-identificationunder the presence of appropriate pseudonymization.

1 Introduction

Location-based services (LBS) such as POI (Point of Interest)search and route finding have been widely used in recent years.As a result, a large amount of location traces (time-series lo-cation trails) are accumulating in a data center of the LBSprovider. These traces can be provided to a third party to per-form various geo-data analysis tasks such as mining popularPOIs [68], auto-tagging POI categories (e.g., restaurants, ho-tels) [19, 65], and modeling human mobility patterns [37, 58].∗The first author contributed to a design of the contest, the location syn-

thesizer in Sections 3 and 4, and experimental evaluation in Section 6.1 andappendices. The other authors contributed to a design of the contest and areordered alphabetically.

However, the use of location traces raises a serious pri-vacy concern. For example, there is a risk that the traces areused to infer social relationships [6, 23] or hospitals visitedby users. Some studies have shown that even if the tracesare pseudonymized, original user IDs can be re-identifiedwith high probability [24, 41, 42]. This fact indicates that thepseudonymization alone is not sufficient and anonymizationis necessary before providing traces to a third party. In thecontext of location traces, anonymization consists of locationobfuscation (e.g., adding noise, generalization, and deletingsome locations) and pseudonymization.

Finding an appropriate anonymization method for locationtraces is extremely challenging. For example, each locationin a trace can be highly correlated with the other locations.Consequently, an anonymization mechanism based on differ-ential privacy (DP) [21, 22] cannot guarantee high privacyand utility. More specifically, it is well known that DP witha small privacy budget ε (e.g., ε = 0.1 or 1 [36]) providesstrong privacy against adversaries with arbitrary backgroundknowledge. However, ε in DP increases with increase in thetrace length, which could lead to no meaningful privacy guar-antees or poor utility for a long trace [3, 51] (unless we limitthe adversary’s background knowledge [40, 63]).

Thus, there is still no conclusive answer on how to ap-propriately anonymize location traces, which motivates ourobjective of designing a contest.

Location Trace Anonymization Contest. To better under-stand anonymization methods for traces, we have designedand held a location trace anonymization contest called PWS(Privacy Workshop) Cup 2019 [2].

Our contest has two phases: anonymization phase and pri-vacy attack phase. In the anonymization phase, each teamanonymizes her original traces. Then in the privacy attackphase, the other teams obtain the anonymized traces and per-form privacy attacks against the anonymized traces. Basedon this, we evaluate privacy and utility of the anonymizedtraces for each team. In other words, we model the problemof finding an appropriate anonymization method as a gamebetween a designer of the anonymization method (each team)

1

arX

iv:2

107.

1040

7v2

[cs

.CR

] 1

Dec

202

1

and adversaries (the other teams). One promising feature ofour contest is that both defense and attack compete together,which is close to what happens in real life.

The significance of a location trace anonymization contestis not limited to finding appropriate anonymization methods.For example, it is useful for an educational purpose – ev-eryone can join the contest to understand the importance ofanonymization (e.g., why the pseudonymization alone is notsufficient) or to improve her own anonymization skill.

However, designing a location trace anonymization contestposes great challenges. Below we explain them.

Contest Dataset. The first issue is about a dataset used fora contest. To explain this issue, we review two types of theadversary’s background knowledge: maximum-knowledge at-tacker model and partial-knowledge attacker model [20, 53].The maximum-knowledge attacker model assumes that theadversary knows the original traces as background knowledge.The partial-knowledge attacker model assumes that the adver-sary does not know the original traces. In the latter model, thebackground knowledge can be, e.g., locations disclosed byusers via geo-social network services.

The maximum-knowledge attacker model is extremely pes-simistic about privacy and utility. For example, de Montjoye etal. [18] have shown that three locations in a trace are enoughto uniquely characterize about 80% of users amongst oneand a half million users. This indicates that we need to sacri-fice the utility (e.g., delete almost all locations from a trace)to prevent re-identification in the maximum-knowledge at-tacker model. However, the maximum-knowledge model isa worst-case model and is not a realistic one. For example,assume that the LBS provider provides anonymized tracesto a third party for geo-data analysis. In this case, the thirdparty would not know the original traces. Therefore, we fo-cus on the partial-knowledge attacker model and separate theadversary’s background knowledge from the original tracesas in [24, 42, 55].

The main challenge in designing a location traceanonymization contest in the partial-knowledge attackermodel is that public datasets (e.g., [15, 46, 64]) cannot bedirectly used for a contest. This issue comes from the factthat everyone can access to public datasets. In other words, ifwe use a public dataset for a contest, then every team wouldknow the original traces of the other teams, which leads tothe maximum-knowledge attacker model. It is also difficultto directly use a private dataset in a company due to privacyconcern.

To address this issue, we propose a location synthesizer thattakes location traces (called training traces) as input and out-puts synthetic traces for each team. In a nutshell, our locationsynthesizer randomly generates traces of virtual users whoare different from users in the input dataset (called trainingusers). The virtual users for each team are also different fromthe virtual users for the other teams. Each virtual user hasher own feature (e.g., someone lives in Manhattan; another

one commutes by train), which we call a user profile. Wetrain a distribution of user profiles from training traces, andrandomly sample a virtual user’s profile from the distribution.Then we synthesize a trace based on the user profile. Con-sequently, synthetic traces for each team are different fromtraining traces and from synthetic traces for the other teams.We call this key feature diversity of synthetic traces. We donot disclose each team’s original traces or user profiles tothe other teams. Thus, each team does not know the originaltraces of the other teams, i.e., the partial-knowledge attackermodel.

Our location synthesizer also provides high utility in thatsynthetic traces preserve various statistical features (e.g.,distribution of visit-fractions [19, 65], population distribu-tion [68], transition matrix [37, 58]) of training traces, whichis important for a contest to be realistic. To our knowledge,our synthesizer is the first to provide such diversity and utility(see Section 2 for details).

Note that if we use a private dataset in a company as train-ing traces, we need to protect the privacy of users in the privatedataset1. In Appendix A, we also show through experimentsthat our synthesizer protects privacy in that it is secure againstre-identification attacks [24, 55] and membership inferenceattacks [27, 54].Privacy Risks. The second issue is about privacy risks. Re-identification is acknowledged as a risk in the privacy litera-ture and data protection laws, including GDPR [61]. However,it is reported in [33] that if we consider only re-identificationas a privacy risk, then each team can easily cheat the contestby excessively anonymizing each record. This is called cheat-ing anonymization [33] (or excessive anonymization [49]).

In location traces, this can be explained as follows. Con-sider a dataset in Fig. 1. In this example, there are three users(v1, v2, and v3) and four types of discrete locations (x1, x2, x3,and x4). We add noise to their original traces so that obfus-cated traces of users v1, v2, and v3 are the same as the originaltraces of users v2, v3, and v1, respectively. Note that this islocation obfuscation rather than pseudonymization. Then wepseudonymize these traces so that pseudonyms 10001, 10002,and 10003 correspond to v1, v2, and v3, respectively.

This anonymization is seemingly insecure because it justshuffles the original traces in the same way as pseudonymiza-tion. However, this anonymization is secure against re-identification, unlike pseudonymization. Specifically, re-identification is defined as a problem of mapping pseudonymsto the corresponding user IDs [24, 41, 42, 55]. Now, consideran adversary who knows the original traces (i.e., maximum-knowledge attacker) or any other traces highly correlated withthe original traces (i.e., partial-knowledge attacker). This ad-versary would re-identify 10001, 10002, and 10003 as v2, v3,and v1, respectively. However, 10001, 10002, and 10003 ac-tually correspond to v1, v2, and v3, respectively, as explained

1In our contest, we used a public dataset [46] as training traces to synthe-size traces. Thus, the privacy issue did not occur.

2

��

��

��

������������ � ��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

��

�������������� ���

�����

��

��

��

��

��

��

��

��

��

��

��

��

���� ��������� � ��

��

��

��

��

��

��

��

��

��

��

��

��

��������� ������������

�����

�����

Figure 1: Cheating anonymization.

above. Therefore, this re-identification attack fails – the re-identification rate is 0

3 . This is caused by the fact that we exces-sively obfuscate the locations so that the shuffling occurs be-fore pseudonymization. Note that this shuffling can be viewedas a random permutation of user IDs before pseudonymiza-tion. Thus, the cheating anonymization is perfectly secureagainst re-identification in that the anonymized traces provideno information about user IDs; i.e., the adversary cannot findwhich permutation is correct.

We analyze the privacy property of this cheatinganonymization and show that this is not secure against a traceinference attack (a.k.a. tracking attack [55]), which infersthe whole locations in the original traces. Specifically, weshow through experiments that the adversary can recover theoriginal traces from anonymized traces without re-identifyingthem. Note that this is different from the vulnerability ofk-anonymity [39] and mix-zones [7] in that the cheatinganonymization is perfectly secure against re-identification asexplained above2. This strongly indicates that re-identificationalone is insufficient as a privacy risk and that trace inferenceshould be added as an additional risk.

Based on this, our contest evaluates both the re-identification risk and trace inference risk and analyzes theirrelationship. Through our contest, we show that an anonymiza-tion method secure against trace inference is also secureagainst re-identification under the presence of appropriatepseudonymization.

We also show many other findings based on our contest.First, we explain how winner defense and attack algorithmsdiffer from existing algorithms such as [4, 16, 24, 25, 41, 42,44, 55]. Second, we show that anonymized traces submittedby teams are useful for various applications such as POI rec-ommendation [38] and geo-data analysis. Third, since wedistribute different traces to each team, we evaluate the fair-ness of the contest in detail.

Our Contributions. In summary, we open the door to loca-tion trace anonymization contests in the partial-knowledgemodel. Our contributions are as follows:

• We propose a location synthesizer that randomly sam-ples a virtual user’s profile and synthesizes a trace basedon the user profile. This yields the diversity of synthetic

2k-anonymity is not perfectly secure against re-identification unless k isequal to the total number of records. The mix-zone is a kind of pseudonymiza-tion (not location obfuscation) that assigns many pseudonyms to a singleuser. Thus, it is vulnerable to re-identification, as explained in [7].

traces, which is necessary to hold a contest in the partial-knowledge attacker model. We also show that our synthe-sizer provides high utility in terms of various statisticalfeatures.

• We design and hold a location trace anonymizationcontest using our location synthesizer. Through ourcontest, we analyze the relationship between the re-identification risk and trace inference risk. We show twofindings: (i) there exists an algorithm that is perfectlysecure against re-identification and is not secureagainst trace inference; (ii) security against trace in-ference implies security against re-identification un-der the presence of appropriate pseudonymization.We believe these findings attract a broad interest, as re-identification is considered as a major risk in the liter-ature and laws, including GDPR [61]. We also reportwinner algorithms, analyze their utility in various appli-cations, and the fairness of our contest.

We published our location synthesizer as open-source soft-ware [1].Basic Notations. Let N,Z≥0, and R be the set of natural num-bers, non-negative integers, and real numbers, respectively.For a ∈ N, let [a] = {1,2, · · · ,a}. Let τ ∈ N be the number ofteams in a contest. We use these notations throughout thispaper.

2 Related Work

Location Synthesizer. A number of location synthesizers[9, 13, 14, 17, 26, 30, 32, 43, 59, 67] have been studied in theliterature. Bindschaedler et al. [9] showed that most of them(e.g., [17,30,32,59,67]) lack utility in that they do not preservestatistical features of original traces. Similarly, many existingsynthesizers (e.g., [10, 13, 14, 26]) generate synthetic tracesbased on parameters common to all users and do not provideuser-specific features such as “Alice often goes to a park.” and“Bob commutes by train.” Note that the user-specific featuresare necessary for an anonymization contest because otherwisethe adversary cannot re-identify traces. In other words, theadversary needs some user-specific features as backgroundknowledge to re-identify traces.

A handful of existing synthesizers [9, 43] preserve the se-mantic features and user-specific features. However, both [9]and [43] generate traces so that the i-th synthetic trace pre-serves the user-specific feature of the i-th training trace. Thus,they lack diversity; i.e., the i-th synthetic trace for the firstteam is similar to the i-th training trace and the i-th synthetictrace for the second team. To our knowledge, no existing syn-thesizers provide both utility and diversity explained above.Thus, no existing synthesizers can be used for our contest.

We address this issue by training a distribution of userprofiles and randomly generating a virtual user’s profile (user-specific feature) from the distribution.

3

Training Traces

Generative ModelVirtual User

ProfilesSynthetic

Traces

User Profile Distribution

1st Team

Virtual User Profiles

SyntheticTraces

-th Team

(i)

(ii) (iii)

(ii) (iii)

Figure 2: Overview of our location synthesizer. It consists ofthe following three steps: (i) training a generative model, (ii)sampling virtual user profiles, and (iii) generating synthetictraces.

Anonymization Contest. We also note that some anonymiza-tion contests have been held over a decade [28, 33, 34, 47, 48].The contests in [28, 33, 34, 47] do not deal with locationtraces. From October 2020 to June 2021 (after our contestin 2019), NIST held the Differential Privacy Temporal MapChallenge [48]. In this contest, participants compete for aDP algorithm for a sequence of location events over threesprints using public datasets. This contest deals with a smallsequence of events per individual (e.g., 7 events in sprint 2)or coarse-grained locations (e.g., 78 regions in sprint 3).

Our contest substantially differs from this contest in thatparticipants anonymize a long trace (400 events per individ-ual) with fine-grained locations (1024 regions) in our contest.In this case, it is extremely difficult to provide a small ε inDP for the whole trace [3, 51], as described in Section 1. Itis also extremely difficult to prevent re-identification in themaximum-knowledge attacker model [18], which is unrealis-tic and overly pessimistic. Therefore, we separate the back-ground knowledge of the adversaries from the original traces,and measure the privacy via the accuracy of re-identificationor trace inference as in [24, 42, 55]. In this case, a locationsynthesizer with utility and diversity is necessary.

In summary, we hold the first location anonymization con-test that deals with a long trace and fine-grained locationsusing the first location synthesizer providing utility and diver-sity.

3 Location Synthesizer for a Contest

In this section, we propose a location synthesizer that has di-versity and utility for an anonymization contest in the partial-knowledge attacker model. Our location synthesizer extendsthe location synthesizer in [43] called privacy-preservingmultiple tensor factorization (PPMTF) to randomly gener-ate virtual user profiles. Section 3.1 explains its overview.Section 3.2 reviews PPMTF. Section 3.3 explains the detailsof our location synthesizer.

3.1 Overview of Our Location SynthesizerFig. 2 shows the overview of our location synthesizer. It con-sists of the following three steps:

(i). We train a generative model from training traces. Thegenerative model includes a distribution of user profiles.Each user profile is represented as a multi-dimensionalvector. Thus, the user profile distribution is a multi-dimensional distribution. Each element in the vectorrepresents a feature such as “often go to a park” and“commute by train.”

(ii). For each team, we randomly sample profiles of virtualusers from the user profile distribution. As indicated bydifferent colors in Fig. 2, virtual users in each team havedifferent user profiles than the training users and virtualusers in the other teams.

(iii). We generate synthetic traces from the virtual user pro-files and the generative model.

The main novelty of our location synthesizer lies in the con-cept of diversity – synthetic traces for each team are differentfrom training traces and from synthetic traces for the otherteams. Technically, we achieve this feature by introducingstep (ii); i.e., we randomly sample profiles of virtual usersfrom the user profile distribution.

We extend the location synthesizer called privacy-preserving multiple tensor factorization (PPMTF) [43] to pro-vide diversity. It is shown in [43] that PPMTF preserves vari-ous statistical features of training traces, e.g., distribution ofvisit-fractions [19,65], population distribution [68], transitionmatrix [37, 58]. Our synthesizer preserves these statisticalfeatures as well. Thus, our synthesizer provides diversity andutility, both of which are necessary for an anonymization con-test in the partial-knowledge model.

Our location synthesizer is also scalable because samplingin step (ii) takes little time, e.g., much less than one secondeven using a laptop. For example, our synthesizer can synthe-size traces of about 200000 users within one day in the sameway as PPMTF.

3.2 PPMTFTwo Tensors. PPMTF [43] models various statistical featuresof training traces by two tensors: transition-count tensor andvisit-count tensor. Fig. 3 shows their examples. The transition-count tensor consists of a transition matrix for each traininguser. Thus, it models the movement pattern of each train-ing user. The visit-count tensor consists of a time-dependenthistogram of visited locations for each training user. Thus,it includes the information on a time-dependent populationdistribution.

Formally, let U be a finite set of training users, and ui ∈Ube the i-th training user. We discretize locations by dividing

4

� � �

� � �

� � �

� � �

� � �

� � � � �

� � � � �

� � � � �

� � � � �

� � � � �

� � �

� � �

� � �

� � �

� � �

� � � � �

� � � � �

� � � � �

� � � � �

� � � � �

��

��

��

��

��

��

��

��

��

��

��

��

��

�������������������

��

��

��

��� ��� ��

� ��� ��������� � �

�� ������ ��

��

��

��

��

��

�� �������

���������������

��������

� � � � �

� � � � �

� � � � �

� � � � �

� � � � �

��������

�������������

����������

���������

��������

���������

��

��

��

��

��

����������

� � �

� � �

� � �

� � �

� � �

��

���

�

��

Figure 3: Example of training traces and two tensors. A train-ing trace may include missing locations (marked with gray).

A

C D

B

Time Slot

Loc

atio

n

Next Location

User

MTF (Multiple TensorFactorization)

User un TimeSlots

Visit-probabilityVectors

l1

l3

Synthetic Traces

TransitionMatrices

l2

x2 x3 x3 x3 x4

Time Slots l1 l2 l3

x5User un

Training Traces

Figure 4: Overview of PPMTF.

a target area into smaller regions or by extracting POIs. LetX be a finite set of locations, and xi ∈ X be the i-th location.We also discretize time into time instants and represent a timeinstant as a natural number. We also introduce a set of timeinstants called a time slot. The time slot plays a role as atime resolution at which we want to preserve a populationdistribution of training traces. Let L be a finite set of timeslots, and li ∈L be the i-th time slot; e.g., l1 = {1,2} in Fig. 3.

Let RI ∈ Z|U|×|X |×|X |≥0 be the transition-count tensor and

RII ∈ Z|U|×|X |×|L |≥0 be the visit-count tensor. Let rIi, j,k be the

(i, j,k)-th element of RI, and rIIi, j,k be the (i, j,k)-th element

of RII. For example, rI1,2,3 = 1 and rII

1,3,2 = 2 in Fig. 3 becauseuser u1 moves from x2 to x3 once and visits x3 twice in timeslot l2. Let R = (RI,RII) be the two tensors.

Algorithm. Fig. 4 shows the overview of PPMTF.First, PPMTF calculates two tensors R from training traces,

and factorizes R using multiple tensor factorization (MTF)[31, 60]. MTF is a technique that simultaneously factorizesmultiple tensors into low-rank matrices called factor ma-trices along each mode (axis). Let z ∈ N be the numberof columns (i.e., factors) in each factor matrix. MTF fac-torizes R = (RI,RII) into four factor matrices A ∈ R|U|×z,B ∈R|X |×z, C ∈R|X |×z, and D ∈R|L |×z along “User,” “Loca-tion,” “Next Location,” and “Time Slot” modes, respectively.Note that MTF shares A and B between the two tensors.From (A,B,C,D), PPMTF reconstructs two low-rank tensorsR = (RI, RII) that approximate R = (RI,RII). See [43] forthe details of calculating A, B, C, D, and R.

Based on R, PPMTF generates synthetic traces of userui ∈U as follows. First, it calculates a visit-probability vectorπi, j ∈ [0,1]|X | of user ui for each time slot l j ∈ L by normaliz-

ing counts to probabilities in the i-th matrix of RII. Similarly,it calculates a transition-probability matrix Q∗i ∈ [0,1]|X |×|X |

of user ui by normalizing counts to probabilities in the i-thmatrix of RI. Then it modifies Q∗i to Qi, j via the Metropolis-Hastings algorithm [45] so that the stationary distribution ofQi, j is equal to πi, j. Then it generates a synthetic trace of uiby randomly sampling locations using (πi, j,Qi, j).

3.3 Details of Our Location SynthesizerSampling User Profiles. In PPMTF, each column of A, B,C, and D represents a cluster. For example, assume that thefirst columns of B, C, and D have large values in bars, bars,and night, respectively. Then elements with large values inthe first column of A represent a cluster of users who go to abar at night. Thus, the i-th row of A (z-dim vector) is a userprofile of ui – each element represents a feature such as “go toa bar at night” and “go to a park at noon.” From this, PPMTFgenerates a synthetic trace that resembles the training traceof ui. Consequently, it lacks diversity; i.e., the i-th synthetictrace for the 1st team is similar to the i-th training trace andi-th synthetic trace for the 2nd team.

We address this issue by introducing a distribution of userprofiles and sampling new user profiles from the distribution.Specifically, let ai ∈ Rz be the i-th row of A. We assume thateach row of A is independently generated from a multivariatenormal distribution:

p(A|ΨA) = ∏|U|i=1 N (ai|µA,Λ

−1A ) (1)

where µA ∈ Rz is a mean vector and ΛA ∈ Rz×z is a precision(inverse covariance) matrix. N (ai|µA,Λ

−1A ) denotes the prob-

ability of ai in the normal distribution with mean vector µAand covariance matrix Λ

−1A . Let ΨA = (µA,ΛA). ΨA forms a

user profile distribution.We train (ΨA,B,C,D) from two tensors R via posterior

sampling [62], which samples (ΨA,B,C,D) from its posteriordistribution given R. Note that PPMTF also samples ΨA totrain A. However, PPMTF discards ΨA after training and uses(A,B,C,D) as a generative model. In contrast, our synthesizerdoes not discard ΨA. It uses (ΨA,B,C,D) as a generativemodel.

Based on ΨA, we randomly sample new user profiles. For-mally, let Pt be the t-th team. Let m ∈ N be the number ofvirtual users for each team. m can be different from the num-ber |U| of training users. We randomly sample a new fac-tor matrix A(t) ∈ Rm×z (m virtual user profiles) for team Pt .Specifically, let a(t)i ∈ Rz be the i-th row of A(t), i.e., the i-thvirtual user profile in team Pt . We randomly sample a(t)i asfollows:

a(t)i ∼N (·|µA,Λ−1A ), (2)

where N (·|µA,Λ−1A ) denotes the normal distribution with

mean vector µA and covariance matrix Λ−1A . Note that we

5

Training Traces

GenerativeModel

Virtual User Profiles

SyntheticTraces

1st Team

Virtual User Profiles

SyntheticTraces

-th Team

(i)

(ii) (iii)

(ii) (iii)

Tensors

Figure 5: Details of our location synthesizer. It consists ofthree steps: (i) train (ΨA,B,C,D) from R, (ii) sample A(t)

for team Pt based on ΨA (t ∈ [τ]), and (iii) generate synthetictraces for team Pt using (A(t),B,C,D). ΨA is a user profiledistribution.

do not use two tensors R in (2). PPMTF trains A based on ΨAand R so that A preserves the feature of training users. In con-trast, we randomly sample a(t)i based on ΨA, independentlyof R.

Since each user profile a(t)i is independently and randomlysampled, each virtual user has a different user profile thanthe training users and the other virtual users. This yields thediversity. In addition, both ai and a(t)i follow the normal distri-bution with parameter ΨA = (µA,ΛA) (see (1) and (2)). Thus,A(t) preserves very similar statistical features to A. Conse-quently, our synthetic traces provide high utility in terms ofvarious statistical features in the same way as PPMTF.Algorithm. Fig. 5 shows the details of our location synthe-sizer. It consists of the following three steps:

(i). We train (ΨA,B,C,D) from two tensors R by posteriorsampling [62].

(ii). For each team Pt , we randomly sample a new factormatrix A(t) (m virtual user profiles) by (2).

(iii). For each team Pt , we generate synthetic traces of m vir-tual users using (A(t),B,C,D).

In step (iii), we generate synthetic traces in the same way asPPMTF. Specifically, we reconstruct two low-rank tensorsfrom (A(t),B,C,D). Then for each virtual user, we calculatevisit-probability vectors and transition matrices and generatea synthetic trace from them.

Our synthesizer differs from PPMTF in two ways. First,we use (ΨA,B,C,D) as a generative model, whereas PPMTFuses (A,B,C,D). Second, we introduce step (ii) (i.e., sam-pling of virtual user profiles) to provide diversity. Our syn-thesizer is as scalable as PPMTF because step (ii) takes littletime.

4 Evaluation of Synthesizers

4.1 Experimental Set-upDataset. We evaluated the diversity and utility of our locationsynthesizer using the Foursquare dataset in [64]. Following

[64], we selected six cities with many check-ins and withcultural diversity: Istanbul (IST), Jakarta (JK), New York City(NYC), Kuala Lumpur (KL), San Paulo (SP), and Tokyo (TKY).For each city, we selected 1000 popular POIs for which thenumber of visits from all users was the largest (|X |= 1000).We set the time interval between two time instants to onehour by rounding down minutes. Then we assigned everytwo time instants to one of 12 time slots l1 (0-2h), · · · , l12(22-24h) in a cyclic manner (|L | = 12). For each city, werandomly selected 80% of users as training users and used theremaining users as testing users. The traces of testing userswere used for evaluating a baseline (the utility of real traces).The numbers of training users in IST, JK, NYC, KL, SP, andTKY were |U| = 219793, 83325, 52432, 51189, 42100, and32056, respectively.Synthesizers. We generated synthetic traces using our pro-posed synthesizer (denoted by Proposal). We set the number zof factors to z = 16 (in the same way as [43]) and the numberτ of teams to τ = 2. Then we generated the same numberof virtual user profiles as training users (m = |U|). For eachvirtual user, we generated one synthetic trace with the lengthof 20 days.

For comparison, we generated the same amount of syn-thetic traces using PPMTF [43]. As another baseline, we alsoevaluated the following synthesizer. We first calculated a tran-sition matrix for each time slot (|L |× |X |× |X | elements intotal) from training traces via maximum likelihood estimation.Then we generated synthetic traces by randomly samplinglocations using the transition matrix. We denote this synthe-sizer by TransMat. This is a special case of the synthetic datagenerator in [10] where the generative model is independentof the input data record (see [43] for details). TransMat gen-erates traces only based on parameters common to all usersand does not preserve user-specific features. Thus it lacksutility, as shown in our experiments. We do not evaluate othersynthesizers such as [13, 14, 26], because they also generatetraces only based on parameters common to all users and havethe same issue.

We also note that a location synthesizer in [9] lacks scala-bility and cannot be applied to the Foursquare dataset; e.g., itrequires over four years to generate traces in IST even using asupercomputer [43].Diversity Metrics. For diversity, we evaluated whether the i-th synthetic trace for the 1st team is similar to the i-th synthetictrace for the 2nd team.

Specifically, we first randomly selected 2000 virtual usersfrom m virtual users. Without loss of generality, we denotethe selected user IDs by 1, · · · ,2000. We calculated a popula-tion distribution (|X |-dim vector) for each virtual user. Thenwe evaluated the average total variance between the distri-bution of the i-th user in the first team and that of the i-th(resp. (1000+ i)-th) user in the second team (1≤ i≤ 1000),which is denoted by Same-TV (resp. Diff-TV). If Same-TV issmaller than Diff-TV, the synthesizer lacks diversity.

6

Note that Proposal clearly has diversity because it indepen-dently and randomly samples each virtual user profile by (2).The purpose here is to quantitatively show that PPMTF lacksdiversity.

Utility Metrics. For utility, we evaluated a distribution ofvisit-fractions, time-dependent population distribution, andtransition matrix in the same way as [43].

The distribution of visit-fractions is a key feature for auto-tagging POI categories (e.g., restaurants, hotels) [19, 65]. Forexample, many people spend 60% of the time at home and20% of the time at work/school [19]. To evaluate such afeature, we did the following. For each training user, we com-puted a fraction of visits for each POI. Then we computed adistribution of visit-fractions for each POI by dividing the frac-tion into 24 bins: (0, 1

24 ],(124 ,

224 ], · · · ,(

2324 ,1). Then we com-

puted a distribution of visit-fractions from synthetic traces inthe same way. Finally, we evaluated the total variance betweenthe two distributions (denoted by VF-TV).

The population distribution is a basic statistical feature. Forexample, it is used for mining popular POIs [68]. Thus, foreach time slot, we calculated a frequency distribution (|X |-dim vector) of training traces and that of synthetic traces. Foreach time slot, we extracted the top 50 POIs whose frequen-cies in the training traces were the largest and regarded thefrequencies of the remaining POIs as 0. Then we evaluatedthe average total variance between the two time-dependentpopulation distributions over all time slots (TP-TV-Top50).

The transition matrix is a basic feature for modeling humanmobility patterns [37, 58]. In our experiments, we calculatedan average transition matrix (|X |× |X | matrix) over all usersand all time instants. We calculated the transition matrix oftraining traces and that of synthetic traces. Each row of thetransition matrix represents a conditional distribution. Thus,we evaluated the Earth Mover’s Distance (EMD) between thetwo conditional distributions [9], and took an average over allrows (TM-EMD). Since the two-dimensional EMD is compu-tationally expensive, we calculated the sliced 1-Wassersteindistance [11,35]. The sliced 1-Wasserstein distance generatesa lot of random projections of the 2D distributions to 1D dis-tributions, and calculates the average EMD between the 1Ddistributions.

4.2 Experimental Results

Diversity. We first evaluated the diversity of Proposal andPPMTF. Fig. 6 shows the results. In PPMTF, Same-TV issmaller than Diff-TV, which means that the i-th synthetic tracefor the 1st team is similar to the i-th synthetic trace for the2nd team. Thus, PPMTF lacks diversity. In contrast, Same-TVis almost the same as Diff-TV (their difference is much smallerthan 0.1 times the standard deviation) in Proposal. This isbecause Proposal independently samples each virtual userprofile.

IST JK NYC KL SP TKY

0.08

Same/Diff-TV

0.06

0

Same-TVDiff-TV

0.07

0.05

0.030.04

0.010.02

(a) PPMTF (b) Proposal

IST JK NYC KL SP TKY

0.08

Same/Diff-TV

0.06

0

Same-TVDiff-TV

0.07

0.05

0.030.04

0.010.02

Figure 6: Diversity of PPMTF and Proposal. The error barshows 0.1× the standard deviation over 1000 pairs of users.

0.75

VF-TV 0.6

0.450.30.150

0.25

TP-TV-Top50

0.20.150.10.050

Uniform TransMat PPMTF RealProposal

IST JK NYC

TM-EMD

4

32

10

0.25

TP-TV-Top50

0.20.150.10.050 KL SP TKY

IST JK NYC0.75

VF-TV 0.6

0.450.30.150 KL SP TKY

IST JK NYC

TM-EMD

4

3

2

1

0 KL SP TKY

Figure 7: Utility of each location synthesizer. Lower is betterin all metrics.

Utility. We next evaluated the utility. Fig. 7 shows the results.Here, we evaluated each utility metric for each of 20 daysin the 1st team and averaged it over 20 days. Uniform is theutility when all locations in synthetic traces are independentlysampled from a uniform distribution. Real is the utility of thetraces of testing users, i.e., real traces. Ideally, the utility ofsynthetic traces should be much better (smaller) than that ofUniform and close to that of Real.

Fig. 7 shows that TransMat provides poor utility (almostthe same as Uniform) in terms of VF-TV. This is becauseTransMat generates traces using parameters common to allusers. Consequently, all users spend almost the same amountof time on each POI. In other words, TransMat cannot preserveuser-specific features.

In contrast, Proposal provides high utility in all utility met-rics in the same way as PPMTF. This is because virtual userprofiles A(t) in Proposal preserve very similar statistical fea-tures to user profiles A in PPMTF.Summary. In summary, the existing synthesizers lack ei-ther diversity or utility (user-specific features). Thus, theycannot be applied to an anonymization contest in the partial-knowledge attacker model. In contrast, Proposal providesboth diversity and utility. Thus, it plays a unique and signifi-cant role in the contest.

5 Design of a Location Anonymization Con-test

Based on our location synthesizer, we design a location traceanonymization contest that evaluates both the re-identificationrisk and trace inference (a.k.a. tracking [55]) risk. Section 5.1explains the purpose of our contest. Section 5.2 describesthe overview of our contest. Finally, Section 5.3 explains thedetails of our contest.

7

5.1 Purpose

As described in Section 1, a location trace anonymizationcontest is useful for technical and educational purposes. Themain technical purpose is to better understand anonymiza-tion methods for traces. In particular, we pose the followingquestions for a technical purpose:

1. Is an anonymization method that has security againstre-identification also secure against trace inference?

2. Is an anonymization method that has security againsttrace inference also secure against re-identification?

Re-identification attacks find a mapping between pseudonymsand user IDs [24, 41, 42, 55]. Trace inference attacks inferthe whole locations in the original traces from anonymizedtraces [55]. In Section 6.1, we show that the answer to thefirst question is not always yes by showing a counterexample– the cheating anonymization [33] is perfectly secure againstre-identification but not secure against trace inference.

Thus, the remaining question is the second one. Note thatif we do not appropriately pseudonymize traces, we can finda trivial counterexample for this. As an extreme example,assume that we delete all (or almost all) locations in the origi-nal traces and pseudonymize each trace so that a pseudonymincludes the corresponding user ID (e.g., pseudonyms of v1and v2 are “10001-v1” and “10002-v2”, respectively). Clearly,such anonymization is secure against trace inference but notsecure against re-identification.

However, finding an answer to the second question be-comes non-trivial when we appropriately pseudonymize (ran-domly shuffle) traces. If the answer is yes, then one promisingapproach for anonymization would be to make traces secureagainst trace inference. This is because it also implies securityagainst re-identification. However, empirical evidence (or acounterexample) for this answer has not been well establishedin the literature, especially in a situation where both defenseand attack compete together.

Thus, we design our contest to find an answer to the secondquestion under the presence of appropriate pseudonymization.

5.2 Overview of Our Contest

We design our contest to achieve the purpose explained above.Fig. 8 shows its overview.

First of all, an organizer in our contest performspseudonymization (which is important but technically triv-ial) in place of each team to guarantee that pseudonymiza-tion is appropriately done. Thus, each team obfuscates tracesand sends the traces to the organizer. Then the organizerpseudonymizes the traces, i.e., randomly shuffles the tracesand adds pseudonyms.

Each team obfuscates its original traces so that itsanonymized traces are secure against trace inference while

x1 x3 x2

Original TracesUsers

x4 x5 x5

x3 x4 x4

x1

x4

x4

Anonymized TracesNyms

2001

Obfuscated TracesUsers

Obfuscation (Each Team) Pseudonymization (Organizer)

2002

2003

v1

v2

v3

v1

v2

v3

x1 x2 x1

Reference TracesUsers

x4 x5 x5

x3 x3 x4

x1

x5

x2

v1

v2

v3

Usersv2

v3

v1

Nyms

2001

2002

2003

x1 x1 x2

Inferred TracesUsers

x4 x5 x3

x4 x2 x1

x4

x4

x4

v1

v2

v3

Privacy Attacks(The Other Teams)

Re-identification Trace Inference

Figure 8: Overview of our contest. Gray squares representthat locations are obfuscated.

keeping high utility. Then the other teams attempt both re-identification and trace inference against the anonymizedtraces. They perform these attacks using reference traces,which are separated from the original traces. For example, thereference traces are traces of the same users on different days.The reference traces play a role as background knowledge ofthe adversary.

For each team, we evaluate three scores: utility score, re-identification privacy score, and trace inference privacy score.Every score takes a value between 0 and 1 (higher is better).We regard an anonymized trace as valid (resp. invalid) if itsutility score is larger than or equal to (resp. below) a pre-determined threshold. For an invalid trace, we set its privacyscores to 0.

Then we give the best anonymization award to a team whoachieves the highest trace inference privacy score3. We alsogive the best re-identification (resp. trace inference) award toa team who contributes the most in lowering re-identification(resp. trace inference) privacy scores for the other teams.

The best anonymization award motivates each team toanonymize traces so that they are secure against trace in-ference. The other two awards motivate each team to makeevery effort to attack them in terms of both re-identificationand trace inference. Consequently, we can see whetheranonymized traces intended to have security against traceinference are also secure against re-identification.

Remark 1. Note that each team competes for privacy whilesatisfying the utility requirement in our contest. Each teamdoes not compete for utility while satisfying the privacy re-quirement, because we would like to investigate the relation-ship between two privacy risks: re-identification and traceinference. We note, however, that our location synthesizer inSection 3 is general in that it can be applied to the latter typeof contest.

3We also gave an award to a team who achieved the highest re-identification privacy score. Specifically, we distributed two sets of locationdata for each team: one for a re-identification challenge and another for atrace inference challenge. In the re-identification (resp. trace inference) chal-lenge, each team competed together to achieve the highest re-identification(resp. trace inference) privacy score, and the winner got an award. We omitthe re-identification challenge in this paper.

8

x1024x993 x994 x995

x32x1 x2 x3

x64x33 x34 x35

x96x65 x66 x67

139.68 139.8Longitude35.65

35.75

Latitude

SNS-based People FlowData Location Data in Our Contest0.0030

0.0025

0.0020

0.0015

0.0010

0.0005

0.0000

0.0030

0.0025

0.0020

0.0015

0.0010

0.0005

0.0000

Figure 9: Regions and population distributions at 12:00. Blueand green squares represent Shinjuku and Akihabara, respec-tively. These areas are crowded in both the SNS-based peopleflow data and location data in our contest.

Remark 2. Our synthesizer is also useful for a contest that re-leases aggregate location time-series (time-dependent popula-tion distributions) [52]. Our contest follows a general locationprivacy framework in [55] and releases anonymized traces.This is because the anonymized traces are useful for a verywide range of applications such as POI recommendation [38]and geo-data analysis, as shown in Appendix F.Remark 3. In our contest, we kept the algorithm of oursynthesizer secret from all teams. However, we argue that acontest would be interesting even if the algorithm is madepublic. Specifically, if each team Pt keeps virtual user profilesA(t) in Fig. 5 private, the other teams cannot obtain informa-tion on how each virtual user in team Pt behaves; e.g., somemay often go to restaurants, others may commute by train.Thus, both attacks and defenses are still very challenging andinteresting.

5.3 Details of Our ContestBelow we describe the details of our contest such as scenarios,datasets, contest flow, anonymization, privacy attacks, andutility and privacy scores.Scenarios. A typical scenario considered in our contest isgeo-data analysis in a centralized model [22], where an LBSprovider anonymizes location traces before providing themto a (possibly malicious) data analyst.

Another promising scenario is LBS with an intermediateserver [5, 25]. In this scenario, each user sends her traces toa trusted intermediate server. Then the intermediate serveranonymizes the traces of the users and sends them to a (pos-sibly malicious) LBS provider. Finally, each user receivessome services from the LBS provider through the intermedi-ate server based on her anonymized traces, e.g., POI recom-mendation [38].

In both of the scenarios, an adversary does not know theoriginal traces and obtains the anonymized traces.Datasets. We generate synthetic traces for each team usingour location synthesizer4. Specifically, we use the SNS-based

4In our contest, we slightly modified our synthesizer in Section 3 to makesynthetic traces more realistic in that users tend to be at their home between8:00 and 9:00 and 17:00 and 18:00 while keeping statistical information (e.g.,population distribution, transition matrix). We omit the details for lack ofspace.

Table 1: Location Data in Our ContestNumber of users m = 2000

Number of regions |X |= 1024 (= 32×32)Trace length lo = lr = 400 (from 8 : 00 to 18 : 00

for 20 days with 30 minutes interval)

Original Traces Obfuscated Traces ID Table

𝑓(𝑡)𝑂(𝑡)Anonymized Traces

Obfuscation Pseudonymization(Shuffling)

Utility Score 𝑠𝑈(𝑡)

Reference TracesRe-identification by Team 𝑃𝑡′

Privacy Score against

Trace Inference 𝑠𝑇(𝑡 ,𝑡′ )

Anonymization Phase

Privacy Attack Phase

𝑅(𝑡)

𝑂∗(𝑡) 𝐴(𝑡)

𝑓(𝑡 ,𝑡′ )

𝑂(𝑡 ,𝑡′ )

Inferred Traces

Inferred ID Table

Privacy Score against

Re-identification 𝑠𝑅(𝑡 ,𝑡′ )

Trace Inference by Team 𝑃𝑡′

Figure 10: Contest flow for team Pt (t ∈ [τ]). Re-identificationand trace inference are performed by another team Pt ′ (t ′ 6= t).Utility and privacy scores are calculated by judge Q.

people flow data [46] (Tokyo) as training traces of our locationsynthesizer. We divide Tokyo equally into 32× 32 regions(|X |= 1024) and assign region IDs sequentially from lower-left to upper-right. The size of each region is approximately347m (height)× 341m (width). The left panel of Fig. 9 showsthe regions in our contest.

From the training traces, we generate synthetic traces ofm = 2000 virtual users for each team using our location syn-thesizer. For each virtual user, we generate traces from 8:00 to18:00 for 40 days with a time interval of 30 minutes. We usetraces of the former 20 days as reference traces and the latter20 days as original traces. Let lo, lr ∈N be the length of a train-ing trace and reference trace, respectively. Then lo = lr = 400.Table 1 summarizes location data in our contest.

The middle and right panels of Fig. 9 show populationdistributions at 12:00 in the SNS-based people flow data andsynthetic traces in our contest, respectively. These panelsshow that the synthetic traces preserve the time-dependentpopulation distribution.

Let O(t) and R(t) be sets of original traces and referencetraces and for team Pt , respectively.Contest Flow. Fig. 10 shows our contest flow. In our contest,an organizer plays a role as a judge who distributes tracesfor each team and evaluates privacy and utility scores of eachteam. Let Q be a judge. Teams P1, · · · ,Pτ and judge Q partici-pate in our contest.

In the anonymization phase, judge Q distributes originaltraces O(t) to each team Pt . Team Pt obfuscates O(t). Let O∗(t)

be obfuscated traces of team Pt . Team Pt submits obfuscatedtraces O∗(t) to Q. After receiving O∗(t), Q pseudonymizesO∗(t) by randomly shuffling m traces in O∗(t) and then se-

9

quentially assigning pseudonyms. Consequently, Q obtainsanonymized traces A(t) and an ID table f (t), which is a set ofpairs between user IDs and pseudonyms. Q keeps f (t) secret.

Judge Q calculates a utility score s(t)U ∈ [0,1] using originaltraces O(t) and obfuscated traces O∗(t). Then Q comparess(t)U with a threshold sreq ∈ [0,1] that is publicly available. Ifs(t)U ≥ sreq, then Q regards anonymized traces A(t) as valid

(otherwise, invalid). Note that s(t)U is calculated from O(t)

and O∗(t). Thus, Pt can check whether A(t) are valid beforesubmitting O∗(t) to Q.

In the privacy attack phase, judge Q distributes all validanonymized traces and all reference traces to all teams.Then each team attempts re-identification and trace inferenceagainst the valid anonymized traces of the other teams usingtheir reference traces.

Assume that team Pt ′ (t ′ 6= t) attacks valid anonymizedtraces A(t) of team Pt . As re-identification, team Pt ′ infersuser IDs corresponding to pseudonyms in A(t) using referencetraces R(t). Team Pt ′ creates an inferred ID table f (t,t

′), whichis a set of pairs between inferred user IDs and pseudonyms,and submits it to judge Q. As trace inference, team Pt ′ infersall locations in original traces O(t) from A(t) using R(t). TeamPt ′ creates inferred traces O(t,t ′), which include the inferredlocations, and submits it to Q.

Judge Q calculates a re-identification privacy score s(t,t′)

R ∈[0,1] using ID table f (t) and inferred ID table f (t,t

′). Q alsocalculates a trace inference privacy score s(t,t

′)T ∈ [0,1] using

original traces O(t) and inferred traces O(t,t ′).Note that anonymized traces A(t) get τ− 1 attacks from

the other teams. They also get attacks from some samplealgorithms for re-identification and trace inference, which aredescribed in Section 6.1. Judge Q calculates privacy scoresagainst all of these attacks and finds the minimum privacyscore. Let s(t)R,min (resp. s(t)T,min) ∈ [0,1] be the minimum re-identification (resp. trace inference) privacy score of team Pt .s(t)R,min and s(t)T,min are final privacy scores of team Pt ; i.e., weadopt a privacy score by the strongest attack.

Pseudonymized Traces. In the privacy attack phase, judgeQ also distributes pseudonymized traces prepared by Q andmakes each team attack these traces. The purpose of this is tocompare the privacy of each team’s anonymized traces withthat of the pseudonymized traces; i.e., they play a role as abenchmark.

The pseudonymized traces are generated as follows. JudgeQ generates reference traces R(τ+1) and original traces O(τ+1)

for team P(τ+1) (who does not participate in the contest). ThenQ makes anonymized traces A(τ+1) by only pseudonymization.Finally, Q distributes A(τ+1) and R(τ+1), and each team Ptattempts privacy attacks against A(τ+1) using R(τ+1).

Awards. As described in Section 5.1, awards are importantto make both defense and attack complete together. We give

4 2

5 3

6 1

4 5 ∅

4 6 ∅

4 7 5

4 8 5

5 5 ∅

5 6 3

5 7 3 4

5 8 1 2 3

6 5 2

6 6 3

6 7 2 4 5

6 8 ∅

1 5 2

1 6 3

1 7 2 4 5

1 8 ∅

2 5 ∅

2 6 ∅

2 7 5

2 8 5

3 5 ∅

3 6 3

3 7 3 4

3 8 1 2 3

1 5 1

1 6 3

1 7 2

1 8 1

2 5 4

2 6 4

2 7 5

2 8 5

3 5 3

3 6 4

3 7 4

3 8 4

User IDs Time RegionIDs

User IDs TimeRegionIDs

NymsTime RegionIDs

User IDsNyms

Original Traces 𝑶(𝒕) Obfuscated Traces 𝑶∗(𝒕)

ID Table 𝒇(𝒕)

Anonymized Traces 𝑨(𝒕)

1 5 1

1 6 1

1 7 2

1 8 4

2 5 4

2 6 4

2 7 5

2 8 3

3 5 4

3 6 2

3 7 4

3 8 1

User IDs Time RegionIDs

Inferred Traces 𝑶(𝒕,𝒕′ )

4 2

5 2

6 1

User IDsNyms

Inferred ID Table 𝒇(𝒕,𝒕′ )

Figure 11: Example of anonymization and privacy attacks.Obfuscated locations are marked with red. “2 4 5” repre-sents generalized locations {x2,x4,x5}. “ /0” represents dele-tion. Correct user/region IDs are marked with blue.

the best anonymization award to a team Pt who achieves thehighest trace inference privacy score s(t)T,min among all teams.We also give the best re-identification (resp. trace inference)award to a team Pt ′ whose ∑

τ+1t=1 s(t,t

′)R (resp. ∑

τ+1t=1 s(t,t

′)T ) is the

lowest among all teams.Anonymization. In the anonymization phase, team Pt obfus-cates its original traces O(t). In our contest, we allow fourtypes of processing for each location:

1. No Obfuscation: Output the original location as is; e.g.,x1→ x1.

2. Perturbation (Adding Noise): Replace the original lo-cation with another location; e.g., x1→ x2.

3. Generalization: Replace the original location with aset of multiple locations; e.g., x1 → {x1,x3}, x1 →{x2,x3,x5}. Note that the original location may not beincluded in the set.

4. Deletion: Replace the original location with an emptyset /0 representing deletion; e.g., x1→ /0.

Let Y be a finite set of outputs after applying one of the fourtypes of processing to a location. Then Y is represented as apower set of X ; i.e., Y = 2X . In other words, we accept allpossible operations on each location.

Then judge Q pseudonymizes obfuscated traces O∗(t).Specifically, Q randomly permutes 1, · · · ,m and sequentiallyassign pseudonyms m+1, · · · ,2m.

The left panel of Fig. 11 shows an example of anonymiza-tion, where user IDs and region IDs are subscripts of usersand regions, respectively. In this example, pseudonyms 2001,2002, and 2003 correspond to user IDs 2, 3, and 1, respec-tively; i.e., f (t) = {(2001,2),(2002,3),(2003,1)}.Privacy Attack. In the privacy attack phase, team Pt ′ (t ′ 6= t)attempts privacy attacks against (valid) anonymized traces

10

A(t) of team Pt using reference traces R(t). Specifically, teamPt ′ creates an inferred ID table f (t,t

′) and inferred traces O(t,t ′)

for re-identification and trace inference, respectively. Here weallow Pt ′ to identify multiple pseudonyms in A(t) as the sameuser ID.

The right panel of Fig. 11 shows an example of re-identification and trace inference. In this example, f (t,t

′) ={(2001,2),(2002,2),(2003,1)}.

Utility Score. Anonymized traces A(t) are useful for vari-ous geo-data analysis tasks, e.g., mining popular POIs [68],auto-tagging POI categories [19, 65], and modeling humanmobility patterns [37, 58]. They are also useful for LBS suchas POI recommendation [38] in the intermediate server model(described in Section 5.2 “Scenarios”). To accommodate a va-riety of purposes, we adopt a versatile utility score s(t)U ∈ [0,1].

Specifically, it would be natural to consider that the utilitydegrades as the distance between an original location anda noisy location becomes larger. The utility would be com-pletely lost when the distance exceeds a certain level or whenthe original location is deleted.

Taking this into account, we define the utility score s(t)U .Our utility score is similar to the service quality loss (SQL)[3,12,56] for perturbation in that the utility is measured by theexpected Euclidean distance between original locations andobfuscated locations. Our utility score differs from the SQLin two ways: (i) we deal with perturbation, generalization, anddeletion; (ii) we assume the utility is completely lost whenthe distance exceeds a certain level or the original location isdeleted.

Formally, let d : X ×X → R≥0 be a distance function thattakes two locations xi,x j ∈ X as input and outputs their Eu-clidean distance d(xi,x j) ∈ R≥0. Since the location data areregions in our contest, we define d(xi,x j) as the Euclidean dis-tance between center points of region xi and x j. For example,d(x1,x2) = 341m and d(x1,x34) =

√3472 +3412 = 487m in

our contest, as the size of each region is 347m (height) ×341m (width).

We calculate the Euclidean distance between each locationin O(t) and the corresponding location(s) in O∗(t). For i ∈[m] and j ∈ [lo], let α

(t)i, j ∈ R≥0 be the Euclidean distance

between the j-th locations in the original and obfuscatedtraces for user v(t)i . α

(t)i, j takes the average Euclidean distance

for generalization, and ∞ for deletion. For example, α(t)1,1 =

d(x1,x2), α(t)1,2 = d(x3,x3) = 0, α

(t)1,3 =

d(x2,x2)+d(x2,x4)+d(x2,x5)3 ,

and α(t)1,4 = ∞ in Fig. 11.

Finally, we use a piecewise linear function gU shown in theleft of Fig. 12 to transform each α

(t)i, j into a score value from

0 to 1 (higher is better). Then we calculate the utility scores(t)U by taking the average of mlo scores.

Specifically, let gU : R≥0→ [0,1] be a function that takes

1

0

1

0

𝑔𝑈(𝛼)

𝛼𝜆𝑈

𝑔𝑇(𝛽)

𝛽𝜆𝑇

Figure 12: Piecewise linear functions gU and gT .

α ∈ R≥0 as input and outputs the following score:

gU (α) =

{1− α

λU(if α < λU )

0 (if α≥ λU ),

where λU ∈ R≥0 is a threshold. Using this function, we cal-culate the utility score s(t)U as follows:

s(t)U = 1mlo ∑

mi=1 ∑

loj=1 gU (α

(t)i, j ).

For example, if we do not obfuscate any location, then s(t)U = 1.If we delete all locations or the Euclidean distance exceedsλU for all locations, then s(t)U = 0.

In our contest, we set the threshold λU to λU = 2km andthe threshold sreq of the utility score (for determining whetheranonymized traces are valid) to sreq = 0.7. In Appendix F,we also show that valid anonymized traces have high utilityfor a variety of purposes such as POI recommendation andgeo-data analysis.Re-identification Privacy Score. A re-identification privacyscore s(t,t

′)R ∈ [0,1] is calculated by comparing ID table f (t)

with inferred ID table f (t,t′).

In our contest, we calculate s(t,t′)

R based on the re-identification rate [24, 41, 43], a proportion of correctly iden-tified pseudonyms. Specifically, we calculate s(t,t

′)R by sub-

tracting the re-identification rate from 1 (higher is better). Forexample, s(t,t

′)R = 1− 2

3 = 13 in Fig. 11.

Trace Inference Privacy Score. A trace inference privacyscore s(t,t

′)T ∈ [0,1] is calculated by comparing original traces

O(t) with inferred traces O(t,t ′).In our contest, we define s(t,t

′)T based on the expected Eu-

clidean distance between original locations and inferred lo-cations [55, 56]. Specifically, we assume that the privacyincreases as the distance between an original location andinferred location becomes larger (as in [55, 56]). We also as-sume that the adversary completely fails to infer the originallocation when the distance exceeds a certain level.

Formally, for i∈ [m] and j ∈ [lo], let β(t,t ′)i, j ∈R≥0 be the Eu-

clidean distance between the j-th locations in the original andinferred traces for user v(t)i . For example, β

(t,t ′)1,1 = d(x1,x1),

β(t,t ′)1,2 = d(x3,x1), β

(t,t ′)1,3 = d(x2,x2), and β

(t,t ′)1,4 = d(x1,x4) in

Fig. 11.We use a piecewise linear function gT in the right of Fig. 12

to transform each β(t,t ′)i, j into a score value from 0 to 1 (higher

11

is better). Specifically, let gT : R≥0→ [0,1] be a function thattakes β ∈ R≥0 as input and outputs the following score:

gT (β) =

{β

λT(if β < λT )

1 (if β≥ λT ),

where λT ∈ R≥0 is a threshold. In our contest, we set λT =2km. By using gT , we obtain mlo scores.

Here we consider regions that include hospitals (referredto as hospital regions) to be especially sensitive. There are37 hospital regions in the SNS-based people flow data [46].Since sensitive locations need to be carefully handled, wecalculate the privacy score s(t,t

′)T by taking a weighted average

of mlo scores, where a weight is 10 for hospital regions and 1for the others.

Thus, we calculate the privacy score s(t,t′)

T as:

s(t,t′)

T =∑

mi=1 ∑

loj=1 wi, jgT (β

(t,t′)i, j )

∑mi=1 ∑

loj=1 wi, j

,

where wi, j ∈ {1,10} is a weight variable that takes 10 if thej-th location in the original trace of user v(t)i is a hospitalregion, and 1 otherwise. If the inferred traces are perfectlycorrect (O(t) = O(t,t ′)), then s(t,t

′)T = 0.

6 Contest Results

In our contest, we first showed that the cheating anonymiza-tion [33] is not secure against trace inference through prelimi-nary experiments. We released the results to all teams beforethe contest. Then we held our contest to answer the secondquestion in Section 5.1.

Sections 6.1 and 6.2 report the results of preliminary exper-iments and our contest, respectively. Section 6.3 explains ourfindings obtained through the contest.

6.1 Preliminary ExperimentsDataset. We used the SNS-based people flow data [46] (Os-aka). We divided Osaka into 32× 32 regions (|X | = 1024),and extracted training traces from 8:00 to 18:00 for 4071 users(|U|= 4071). We trained our location synthesizer using thetraining traces.

Then we generated reference traces R(0) and original tracesO(0) for m = 2000 virtual users in one team (whose teamnumber is t = 0) using our synthesizer. Each trace includeslocations from 8:00 to 18:00 for 20 days with time interval of30 minutes (lo = lr = 400).Sample Algorithms. We implemented some sample algo-rithms for obfuscation, re-identification, and trace inference.We anonymized the original traces O(0) by using each sampleobfuscation algorithm. Then we performed privacy attacksby using each sample re-identification or trace inference algo-rithm.

For obfuscation, we implemented the following algorithms:

• No Obfuscation: Output the original location as is. Inother words, we perform only pseudonymization.

• MRLH(µx,µy,λ): Merging regions and location hidingin [55]. It generalizes each region in the original traceby dropping lower µx (resp. µy) bits of the x (resp. y)coordinate expressed as a binary sequence and deletesthe region with probability λ. For example, the x (resp. y)coordinate of x2 is 00001 (resp. 00000) in Fig. 9. Thus,given input x2, MRLH(1,1,0.8) outputs {x1,x2,x33,x34}with probability 0.2 and deletes x2 with probability 0.8.

• RR(ε): The |X |-ary randomized response in [29]. It out-puts the original region with probability eε

|X |−1+eε , andoutputs another region at random with the remainingprobability. It provides ε-DP for each region.

• PL(l,r): The planar Laplace mechanism [3]. It per-turbs each region in the original trace according to theplanar Laplacian distribution so that it provides l-DPwithin r km. This privacy property is known as ε-geo-indistinguishability [3], where ε = l/r.

• Cheat(p): The cheating anonymization [33]. It selectsthe first p (0≤ p≤ 1) of all users as a subset of users, andrandomly shuffles the whole traces within the subset (asin Fig. 1). Note that this is excessive location obfuscationrather than pseudonymization.

For re-identification and trace inference algorithms, we devel-oped some simple algorithms (two for re-identification andtwo for trace inference). All of them are based on a visit prob-ability vector, which is composed of the visit probability foreach region. We calculate the visit probability vector for eachvirtual user based on R(0). Then we perform re-identificationor trace inference for each anonymized trace in O(0) using thevisit probability vectors. See Appendix B for more details.

We also published the sample algorithms as open-sourcesoftware [2].Results. For each sample obfuscation algorithm, we calcu-lated the minimum re-identification (resp. trace inference)privacy score s(0)R,min (resp. s(0)T,min) over the sample attack algo-rithms. Fig. 13 shows the results.

Overall, there is a positive correlation between the re-identification privacy score s(0)R,min and the trace inference

privacy score s(0)T,min. However, there is a clear exception –

cheating anonymization. In cheating anonymization, s(0)R,minincreases with increase in the parameter p. When p = 1 (i.e.,when we shuffle all users), s(0)R,min is almost 1. In other words,the re-identification rate is almost 0 for Cheat(1). This isbecause the adversary cannot find which permutation is cor-rect, as described in Section 1. Thus, the adversary cannotre-identify traces with higher accuracy than a random guess

12

No obfuscation MRLH RR PL Cheat

0.8

0.9

1

0.5

Pri

vacy

Sco

re𝑠 𝑇

,𝑚𝑖𝑛

(0)

(Tra

ce I

nfer

ence

)

0.6

0.7

0.50.6 0.7 0.8 0.9 1

Privacy Score 𝑠𝑅 ,𝑚𝑖𝑛(0)

(Re-identification)

(1)(0.9)(0.8)(0.7)(0.6)(0.5)(0.4)(0.3)(0.2)

(0.1)(14)

(12)(10)

(8)

(6)

(4)(0.1)

(0.1,1)

(1,1)

(2)

(2,1)

(4,1)(3,1)

(5,1)(6,1)(7,1)

(1,1,0.8)(0,0,0.8)

(0,0,0.5)

(0,0,0.2)

(0,0,0.1)(1,1,0)

(1,1,0.1)

(1,1,0.5)

(1,1,0.2)

Figure 13: Minimum privacy scores of the sample algorithms(higher is better). The numbers in parentheses represent theparameters in the sample algorithms.

(= 1/2000). However, s(0)T,min does not increase with increase

in p, and s(0)T,min of Cheat(1) is almost the same as that of NoObfuscation. This means that the adversary can recover theoriginal traces from anonymized traces without accuratelyre-identifying them.

We can explain why this occurs as follows. Suppose thatthe adversary has reference traces highly correlated with theoriginal traces in the example of Fig. 1. First, this adversarywould re-identify 10001 as v2, which is incorrect. Then, theadversary may recover the trace of v2 as x1→ x1→ x1→ x2because they are included in the anonymized trace of 10001.This is perfectly correct.

This example explains the intuition that the cheatinganonymization is insecure – the adversary can easily recoverthe original traces from the anonymized traces, even if shecannot accurately re-identify them. Fig. 13 clearly shows thatthe re-identification alone is insufficient as a privacy risk forthe cheating anonymization.

6.2 ContestNumber of Teams. We released Fig. 13 to all teams, andheld the contest. 21 teams participated in our contest (τ = 21).

In the anonymization phase, 18 teams submitted their obfus-cated traces so that the anonymized traces were secure againsttrace inference. We set the threshold sreq of the utility scoreto sreq = 0.7, as described in Section 5.3. The anonymizedtraces of 17 (out of 18) teams were valid. In the privacy attackphase, each team attempts re-identification and trace inferenceagainst the valid anonymized traces of the other teams andpseudonymized traces prepared by the organizer. Then weevaluated the minimum privacy scores s(t)R,min and s(t)T,min for theanonymized traces of the 17 teams and the pseudonymizedtraces.Results. Fig. 14 shows the results. It shows that there is astrong correlation between the re-identification privacy scores(t)R,min and the trace inference privacy score s(t)T,min (the correla-tion coefficient is 0.90). We will discuss the reason for thislater in detail.

0.8

0.6

0.4

0.2

00 0.2 0.4 0.80.6

Pri

vacy

Sco

re𝑠 𝑇

,𝑚𝑖𝑛

(𝑡)

(Tra

ce I

nfer

ence

)

Privacy Score 𝑠𝑅 ,𝑚𝑖𝑛(𝑡)

(Re-identification)

Valid anonymized traces (17 teams) Pseudonymized traces

Figure 14: Minimum privacy scores of the valid anonymizedtraces of the 17 teams and the pseudonymized traces (higheris better). The correlation coefficient between s(t)R,min and s(t)T,minis 0.90.

Fig. 14 also shows that the privacy of the pseudonymizedtraces is completely violated in terms of both re-identificationand trace inference. This means that attacks by the teams aremuch stronger than the sample attacks.

After the contest, all teams presented their anonymizationand attack algorithms. We also published the submitted filesby all the teams [2]. In Appendices C and D, we also explainthe winner anonymization and attack algorithms in detail,respectively.

6.3 Our FindingsRe-identification and Trace Inference. Fig. 14 shows thatthere is a strong correlation between two privacy scores s(t)R,min

and s(t)T,min.The reason for this can be explained as follows. In our

contest, we gave the best anonymization award to a teamwho achieved the highest privacy score s(t)T,min against traceinference. Thus, no team used the cheating anonymizationthat was not effective for trace inference5. Consequently, eachteam had to re-identify traces and then de-obfuscate tracesto recover the original traces. In other words, it was difficultto accurately recover the original traces without accuratelyidentifying them. Moreover, all the traces were appropriatelypseudonymized (randomly shuffled) by the organizer in ourcontest. Thus, re-identification was also difficult for tracesthat were well obfuscated. In this case, the accuracy of re-identification is closely related to the accuracy of trace infer-ence. The team who won the best anonymization award alsoobfuscated traces so that re-identification was difficult (seeAppendix C for details of the winner algorithm).

In summary, under the presence of appropriatepseudonymization, the answer to the second question

5Another reason for not using the cheating anonymization is that it hasa non-negligible impact on utility for our utility measure that performs acomparison trace by trace. However, even if we use a utility measure inwhich the cheating anonymization does not have any impact on utility (e.g.,utility of aggregate information [52]), this anonymization is still not effectivefor trace inference. Therefore, our conclusion here would not be changed.

13

in Section 5.1 was yes in our contest.

Winner Algorithms. In Appendices C and D, we explainthe winner algorithms. Here we briefly explain their overviewand how they differ from existing ones.

In a nutshell, the winner anonymization algorithm obfus-cates traces using k-means clustering so that re-identificationis difficult within each cluster. It is somewhat similar to k-anonymity based trace obfuscation [4, 16, 25]. However, itdiffers from [4, 16, 25] in that the winner algorithm does notprovide k-anonymity which requires too much noise for longtraces. It is well known that both k-anonymity and DP destroyutility for long traces [3, 4, 51]. Thus we need to look beyondthese notions to achieve high utility for long traces.

The winner attack algorithm introduces a fuzzy countingtechnique that counts each region in the reference trace andits surrounding regions to construct an attack model. Existingwork [24, 41, 55] and our sample algorithms in Appendix Bonly count each region in the reference trace to construct anattack model. Thus, the fuzzy counting technique is morerobust to small changes in the locations. In fact, the winneralgorithm provides much better attack accuracy than our sam-ple algorithms. Fuzzy counting is also simple and much moreefficient than complicated attacks such as [42, 44]. Specifi-cally, the time complexity of fuzzy counting is O(m(lr+ |X |)),whereas that of [42, 44] is O(mlr|X |2).

The winner algorithms can also be used outside the chal-lenge context. In fact, the anonymization algorithm is usefulfor a variety of purposes such as POI recommendation andgeo-data analysis, as explained below.

Utility. In Appendix F, we also show that the validanonymized traces of the 17 teams are useful for variousapplications. Specifically, we show that they have high util-ity in POI recommendation [38] and geo-data analysis (e.g.,mining popular POIs [68], modeling human mobility pat-terns [37, 58]). This comes from the fact that our contestfollows a general location privacy framework in [55]. SeeAppendix F for more details.

Fairness. Finally, we note that the diversity of location tracesmay raise a fairness issue. For example, even if all teamsapply the same algorithms, privacy scores can be differentamong the teams.

In Appendix E, we evaluate the fairness of our contest.Specifically, we evaluate the variance of privacy scores againstthe same attack algorithm and show that it is small. For exam-ple, the standard deviation of re-identification privacy scoresis about 0.01 or less, which is much smaller than the differencebetween the best privacy score (= 0.79) and the second-bestprivacy score (= 0.67). See Appendix E for more details.

7 Conclusion

We held the first location trace anonymization contest usingthe first location synthesizer that has diversity and utility. Our

contest results showed that an anonymization method secureagainst trace inference is also secure against re-identificationin a situation where both defense and attack compete together.

In our contest, we used an average privacy metric over allusers (e.g., re-identification rate [24, 41, 43]) to make the con-test rule simple and easy to understand for all teams. However,this metric may not guarantee strong privacy for some users.Moreover, DP cannot be used for long traces, as described inSection 1. Thus, we need to adopt other metrics (e.g., min-entropy [57], plausible deniability [9]) to guarantee privacyfor every user or adopt complementary metrics (e.g., condi-tional entropy [50]) to strengthen privacy. For future contests,we would like to comprehensively explore reasonable privacymetrics for long traces. Another interesting avenue of futurework would be designing a membership inference contest fortraces or aggregate time-series [52].

Acknowledgments

The authors would like to thank Sébastien Gambs (UQAM)for technical comments on this paper. The authors wouldlike to thank Takuma Nakagawa (NSSOL) for providing theinformation on the anonymization algorithm in Appendix C.The authors would also like to thank all teams for participatingin our contest. This study was supported in part by JSPSKAKENHI JP18H04099 and JP19H04113.

References

[1] Tool: Location synthesizer for anonymization contests.https://github.com/LocSyn/LocSyn.

[2] PWS Cup 2019. https://pwscup.github.io/pwssite/2019/pwscup19.html, 2019.

[3] Miguel E. Andrés, Nicolás E. Bordenabe, Konstanti-nos Chatzikokolakis, and Catuscia Palamidessi. Geo-indistinguishability: Differential privacy for location-based systems. In Proceedings of the 20th ACM Con-ference on Computer and Communications Security(CCS’13), pages 901–914, 2013.

[4] Claudio Bettini, Sushil Jajodia, Pierangela Samarati, andSean X. Wang. Privacy in Location-Based Applications:Research Issues and Emerging Trends. Springer, 2009.

[5] Claudio Bettini, X. Sean Wang, and Sushil Jajodia. Pro-tecting privacy against location-based personal identifi-cation. In Proceedings of the 2nd VLDB Workshop onSecure Data Management (SDM’05), pages 185–199,2005.

[6] Igor Bilogrevic, Kévin Huguenin, Murtuza Jadliwala,Florent Lopez, Jean-Pierre Hubaux, Philip Ginzboorg,and Valtteri Niemi. Inferring social ties in academic

14

networks using short-range wireless communications.In Proceedings of the 12th ACM Workshop on Privacyin the Electronic Society (WPES’13), pages 179–188,2013.

[7] Laurent Bindschaedler, Murtuza Jadliwala, Igor Bilogre-vic, Imad Aad, Philip Ginzboorg, Valtteri Niemi, andJean-Pierre Hubaux. Track me if you can: On the effec-tiveness of context-based identifier changes in deployedmobile networks. In Proceedings of the 19th Networkand Distributed System Security Symposium (NDSS’12),pages 1–17, 2012.

[8] Vincent Bindschaedler and Reza Shokri. Synthetic lo-cation traces generator (sglt). https://vbinds.ch/node/70.

[9] Vincent Bindschaedler and Reza Shokri. Synthesizingplausible privacy-preserving location traces. In Pro-ceedings of the 2016 IEEE Symposium on Security andPrivacy (S&P’16), pages 546–563, 2016.

[10] Vincent Bindschaedler, Reza Shokri, and Carl A. Gunter.Plausible deniability for privacy-preserving data synthe-sis. Proceedings of the VLDB Endowment, 10(5):481–492, 2017.

[11] Nicolas Bonneel, Julien Rabin, Gabriel Peyré, andHanspeter Pfister. Sliced and radon wasserstein barycen-ters of measures. Journal of Mathematical Imaging andVision, 51(1):22–45, 2015.

[12] Nicolas E. Bordenabe, Konstantinos Chatzikoko-lakis, and Catuscia Palamidessi. Optimal geo-indistinguishable mechanisms for location privacy. InProceedings of the 21st ACM Conference on Computerand Communications Security (CCS’14), pages 251–262, 2014.

[13] Rui Chen, Gergely Acs, and Claude Castelluccia. Differ-entially private sequential data publication via variable-length n-grams. In Proceedings of the 19th ACM Con-ference on Computer and Communications Security(CCS’12), pages 638–649, 2012.

[14] Rui Chen, Benjamin C. M. Fung, Bipin C. Desai, andNériah M. Sossou. Differentially private transit datapublication: A case study on the montreal transportationsystem. In Proceedings of the 18th ACM SIGKDD In-ternational Conference on Knowledge Discovery andData Mining (KDD’12), pages 213–221, 2012.

[15] Eunjoon Cho, Seth A. Myers, and Jure Leskovec. Friend-ship and mobility: User movement in location-based so-cial networks. In Proceedings of the 17th ACM SIGKDDInternational Conference on Knowledge Discovery andData Mining (KDD’11), pages 1082–1090, 2011.

[16] Chi-Yin Chow and Mohamed F. Mokbel. Trajectoryprivacy in location-based services and data publication.ACM SIGKDD Explorations Newsletter, 13(1):19–29,2011.

[17] Richard Chow and Philippe Golle. Faking contextualdata for fun, profit, and privacy. In Proceedings of the8th ACM Workshop on Privacy in the Electronic Society(WPES’09), pages 105–108, 2009.

[18] Yves-Alexandre de Montjoye, César A. Hidalgo, MichelVerleysen, and Vincent D. Blondel. Unique in the crowd:The privacy bounds of human mobility. Scientific Re-ports, 3(1376):1–5, 2013.

[19] Trinh Minh Tri Do and Daniel Gatica-Perez. The placesof our lives: Visiting patterns and automatic labelingfrom longitudinal smartphone data. IEEE Transactionson Mobile Computing, 13(3):638–648, 2013.

[20] Josep Domingo-Ferrer, Sara Ricci, and Jordi Soria-Comas. Disclosure risk assessment via record linkageby a maximum-knowledge attacker. In Proceedings ofthe 13th Annual Conference on Privacy, Security andTrust (PST’15), pages 3469–3478, 2015.

[21] Cynthia Dwork. Differential privacy. In Proceed-ings of the 33rd international conference on Automata,Languages and Programming (ICALP’06), pages 1–12,2006.

[22] Cynthia Dwork and Aaron Roth. The Algorithmic Foun-dations of Differential Privacy. Now Publishers, 2014.

[23] Nathan Eagle, Alex Pentland, and David Lazer. Inferringfriendship network structure by using mobile phonedata. Proceedings of the National Academy of Sciences(PNAS), 106(36):15274–15278, 2009.

[24] Sébastien Gambs, Marc-Olivier Killijian, and MiguelNúñez del Prado Cortez. De-anonymization attack ongeolocated data. Journal of Computer and System Sci-ences, 80(8):1597–1614, 2014.

[25] Bugra Gedik and Ling Liu. Protecting location pri-vacy with personalized k-anonymity: Architecture andalgorithms. IEEE Transactions on Mobile Computing,7(1):1–18, 2008.

[26] Xi He, Graham Cormode, Ashwin Machanavajjhala, Ce-cilia M. Procopiuc, and Divesh Srivastava. DPT: Differ-entially private trajectory synthesis using hierarchicalreference systems. Proceedings of the VLDB Endow-ment, 11(8):1154–1165, 2015.

[27] Bargav Jayaraman and David Evans. Evaluating differ-entially private machine learning in practice. In Proceed-ings of the 28th USENIX Security Symposium (USENIXSecurity’19), pages 1895–1912, 2019.

15

[28] James Jordon, Daniel Jarrett, Jinsung Yoon, TavianBarnes, Paul Elbers, Patrick Thoral, Ari Ercole, ChengZhang, Danielle Belgrave, and Mihaela van der Schaar.Hide-and-seek privacy challenge. CoRR, 2007.12087,2020.

[29] Peter Kairouz, Keith Bonawitz, and Daniel Ramage. Dis-crete distribution estimation under local privacy. InProceedings of the 33rd International Conference onMachine Learning (ICML’16), pages 2436–2444, 2016.

[30] Ryo Kato, Mayu Iwata, Takahiro Hara, Akiyoshi Suzuki,Xing Xie, Yuki Arase, and Shojiro Nishio. A dummy-based anonymization method based on user trajectorywith pauses. In Proceedings of the 20th InternationalConference on Advances in Geographic InformationSystems (SIGSPATIAL’12), pages 249–258, 2012.

[31] Suleiman A. Khan and Samuel Kaski. Bayesian multi-view tensor factorization. In Proceeding of the EuropeanConference on Machine Learning and Principles andPractice of Knowledge Discovery in Databases (ECMLPKDD’14), pages 656–671, 2014.

[32] Hidetoshi Kido, Yutaka Yanagisawa, and Tetsuji Satoh.An anonymous communication technique using dum-mies for location-based services. Proceedings of the2005 IEEE International Conference on Pervasive Ser-vices (ICPS’05), pages 88–97, 2005.

[33] Hiroaki Kikuchi, Takayasu Yamaguchi, Koki Hamada,Yuji Yamaoka, Hidenobu Oguri, and Jun Sakuma. Iceand fire: Quantifying the risk of re-identification andutility in data anonymization. In Proceedings of 2016IEEE 30th International Conference on Advanced Infor-mation Networking and Applications (AINA’16), pages1035–1042, 2016.

[34] Hiroaki Kikuchi, Takayasu Yamaguchi, Koki Hamada,Yuji Yamaoka, Hidenobu Oguri, and Jun Sakuma. Astudy from the data anonymization competition pwscup2015. In Proceedings of the 11th International Work-shop, DPM 2016 and 5th International Workshop, QASA2016 (DPM/QASA’16), pages 230–237, 2016.

[35] Soheil Kolouri, Gustavo K. Rohde, and Heiko Hoffmann.Slicedwasserstein distance for learning gaussian mixturemodels. In Proceedings of the 2018 IEEE/CVF Con-ference on Computer Vision and Pattern Recognition(CVPR’18), pages 3427–3436, 2018.

[36] Ninghui Li, Min Lyu, and Dong Su. Differential Pri-vacy: From Theory to Practice. Morgan & ClaypoolPublishers, 2016.

[37] Xin Liu, Yong Liu, Karl Aberer, and Chunyan Miao.Personalized point-of-interest recommendation by min-ing users’ preference transition. In Proceedings of the

22nd ACM international conference on Information &Knowledge Management (CIKM’13), pages 733–738,2013.

[38] Yiding Liu, Tuan-Anh Nguyen Pham, Gao Cong, andQuan Yuan. An experimental evaluation of point-of-interest recommendation in location-based socialnetworks. Proceedings of the VLDB Endowment,10(10):1010–1021, 2017.

[39] Ashwin Machanavajjhala, Johannes Gehrke, DanielKifer, and Muthuramakrishnan Venkitasubramaniam. l-diversity: Privacy beyond k-anonymity. In Proceedingsof the 22nd International Conference on Data Engineer-ing (ICDE’06), pages 24–35, 2006.

[40] Casey Meehan and Kamalika Chaudhuri. Location traceprivacy under conditional priors. In Proceedings of the24th International Conference on Artificial Intelligenceand Statistics (AISTATS’21), pages 2881–2889, 2021.

[41] Yoni De Mulder, George Danezis, Lejla Batina, and BartPreneel. Identification via location-profiling in GSMnetworks. In Proceedings of the 7th ACM Workshopon Privacy in the Electronic Society (WPES’08), pages23–32, 2008.

[42] Takao Murakami. Expectation-maximization tensorfactorization for practical location privacy attacks. Pro-ceedings on Privacy Enhancing Technologies (PoPETs),4:138–155, 2017.

[43] Takao Murakami, Koki Hamada, Yusuke Kawamoto,and Takuma Hatano. Privacy-preserving multiple tensorfactorization for synthesizing large-scale location traceswith cluster-specific features. Proceedings on PrivacyEnhancing Technologies (PoPETs), 2:5–26, 2021.

[44] Takao Murakami, Atsunori Kanemura, and HideitsuHino. Group sparsity tensor factorization for re-identification of open mobility traces. IEEE Transac-tions on Information Forensics and Security, 12(3):689–704, 2017.

[45] Kevin P. Murphy. Machine Learning: A ProbabilisticPerspective. The MIT Press, 2012.

[46] Nightley and Center for Spatial Information Science atthe University of Tokyo (CSIS). SNS-based people flowdata. http://nightley.jp/archives/1954, 2014.

[47] NIST 2018 Differential Privacy Synthetic Data Chal-lenge. https://www.nist.gov/ctl/pscr/open-innovation-prize-challenges/past-prize-challenges/2018-differential-privacy-synthetic, 2018.

16

[48] NIST 2020 Differential Privacy Temporal Map Chal-lenge. https://www.nist.gov/ctl/pscr/open-innovation-prize-challenges/current-and-upcoming-prize-challenges/2020-differential, 2020.

[49] Ryo Nojima, Hidenobu Oguri, Hiroaki Kikuchi, HiroshiNakagawa, Koki Hamada, Takao Murakami, and ChiemiWatanabe. How to handle excessively anonymizeddatasets. Journal of Information Processing, 26:477–485, 2018.

[50] Simon Oya, Carmela Troncoso, and Fernando Pérez-González. Back to the drawing board: Revisiting the de-sign of optimal location privacy-preserving mechanisms.In Proceedings of the 2017 ACM SIGSAC Conferenceon Computer and Communications Security (CCS’17),pages 1959–1972, 2017.

[51] Apostolos Pyrgelis, Carmela Troncoso, and Emiliano DeCristofaro. What does the crowd say about you? Evaluat-ing aggregation-based location privacy. Proceedings onPrivacy Enhancing Technologies (PoPETs), 2017(4):76–96, 2017.

[52] Apostolos Pyrgelis, Carmela Troncoso, and Emiliano DeCristofaro. Knock knock, who’s there? membershipinference on aggregate location data. In Proceedingsof the 25th Network and Distributed System SecuritySymposium (NDSS’18), pages 1–15, 2018.

[53] Nicolas Ruiz, Krishnamurty Muralidhar, and JosepDomingo-Ferrer. On the privacy guarantees of syntheticdata: A reassessment from the maximum-knowledgeattacker perspective. In Proceedings of the Interna-tional Conference on Privacy in Statistical Databases(PSD’18), pages 59–74, 2018.

[54] Reza Shokri, Marco Stronati, Congzheng Song, and Vi-taly Shmatikov. Membership inference attacks againstmachine learning models. In Proceedings of the 2017IEEE Symposium on Security and Privacy (S&P’17),pages 3–18, 2017.

[55] Reza Shokri, George Theodorakopoulos, Jean-Yves LeBoudec, and Jean-Pierre Hubaux. Quantifying locationprivacy. In Proceedings of the 2011 IEEE Symposium onSecurity and Privacy (S&P’11), pages 247–262, 2011.

[56] Reza Shokri, George Theodorakopoulos, Carmela Tron-coso, Jean-Pierre Hubaux, and Jean-Yves Le Boudec.Protecting location privacy: Optimal strategy againstlocalization attacks. Proceedings of the 2012 ACMConference on Computer and Communications Security(CCS’12), pages 617–627, 2012.

[57] Geoffrey Smith. On the foundations of quantitativeinformation flow. In Proceedings of the 12th Interna-tional Conference on Foundations of Software Scienceand Computational Structures (FoSSaCS’09), pages 288–302, 2009.

[58] Libo Song, David Kotz, Ravi Jain, and Xiaoning He.Evaluating next-cell predictors with extensive wi-fi mo-bility data. IEEE Transactions on Mobile Computing,5(12):1633–1649, 2006.

[59] Akiyoshi Suzuki, Mayu Iwata, Yuki Arase, TakahiroHara, Xing Xie, and Shojiro Nishio. A user locationanonymization method for location based services in areal environment. In Proceedings of the 18th SIGSPA-TIAL International Conference on Advances in Geo-graphic Information Systems (GIS’10), pages 398–401,2010.

[60] Koh Takeuchi, Ryota Tomioka, Katsuhiko Ishiguro, Ak-isato Kimura, and Hiroshi Sawada. Non-negative multi-ple tensor factorization. In Proceedings of the IEEE 13thInternational Conference on Data Mining (ICDM’13),pages 1199–1204, 2013.

[61] The EU General Data Protection Regulation (GDPR).https://eur-lex.europa.eu/eli/reg/2016/679/oj, 2016.

[62] Yu-Xiang Wang, Stephen E. Fienberg, and Alexander J.Smola. Privacy for free: Posterior sampling and stochas-tic gradient monte carlo. In Proceedings of the 32ndInternational Conference on International Conferenceon Machine Learning (ICML’15), pages 2493–2502,2015.

[63] Yonghui Xiao and Li Xiong. Protecting locations withdifferential privacy under temporal correlations. In Pro-ceedings of the 22nd ACM SIGSAC Conference on Com-puter and Communications Security (CCS’15), pages1298–1309, 2015.

[64] Dingqi Yang, Bingqing Qu, Jie Yang, and PhilippeCudre-Mauroux. Revisiting user mobility and socialrelationships in LBSNs: A hypergraph embedding ap-proach. In Proceedings of the 2019 World Wide WebConference (WWW’19), pages 2147–2157, 2019.

[65] Mao Ye, Dong Shou, Wang-Chien Lee, Peifeng Yin,and Krzysztof Janowicz. On the semantic annotation ofplaces in location-based social networks. In Proceedingsof the 17th ACM SIGKDD International Conferenceon Knowledge Discovery and Data Mining (KDD’11),pages 520–528, 2011.

[66] Samuel Yeom, Irene Giacomelli, Matt Fredrikson, andSomesh Jha. Privacy risk in machine learning: Ana-lyzing the connection to overfitting. In Proceedings

17

of the 2018 IEEE 31st Computer Security FoundationsSymposium (CSF’18), pages 268–282, 2018.

[67] Tun-Hao You, Wen-Chih Peng, and Wang-Chien Lee.Protecting moving trajectories with dummies. In Pro-ceedings of the 2007 International Conference on Mo-bile Data Management (MDM’07), pages 278–282,2007.

[68] Yu Zheng, Lizhu Zhang, Xing Xie, and Wei-Ying Ma.Mining interesting locations and travel sequences fromGPS trajectories. In Proceedings of the 18th Interna-tional Conference on World Wide Web (WWW’09), pages791–800, 2009.

A Privacy of Our Synthesizer

Experimental Set-up. To evaluate the privacy of our loca-tion synthesizer, we used the SNS-based people flow data [46](Tokyo) and processed the data in the same way as [43]. Therewere |X |= 400 regions and |U|= 500 training users (see [43]for details). We generated synthetic traces using our proposedsynthesizer (Proposal) with z = 16 and τ = 1. We generatedsynthetic traces of virtual users of the same number as thetraining users (m = |U|). For each virtual user, we generatedone synthetic trace with a length of ten days.

For comparison, we also generated the same amount of syn-thetic traces using PPMTF. Since we used a relatively smalldataset (|U|= 500) in this experiment, we also evaluated thesynthetic location traces generator in [9] (SGLT). We used theSGLT tool in [8]. We set the number c to semantic clustersto c = 50 or 100 because they provided the best performance.We set the other parameters in the same way as [43].

For utility, we evaluated TP-TV-Top50 and TM-EMD in Sec-tion 4. We did not evaluate VF-TV, a utility measure for auto-tagging POI categories, because we used regions rather thanPOIs in this experiment.

For privacy, we considered two privacy attacks: re-identification (or de-anonymization) attack [24, 55] and mem-bership inference attack [27, 54]. For the re-identification at-tack, we evaluated a re-identification rate. For the membershipinference attack, we used the membership advantage [27, 66],the difference between the true positive rate and the falsepositive rate, as a privacy metric. We used the implementationof these attacks in [43] (see [43] for details).

Results. Fig. 15 shows the results. Uniform represents theutility when all locations in synthetic traces are independentlysampled from a uniform distribution. Real represents theutility of the testing traces.

Fig. 15 shows that Proposal achieves almost the same re-identification rate as a random guess (= 0.002). This is be-cause Proposal independently and randomly generates eachvirtual user from a distribution of user profiles. In other words,

TP

-TV

-Top

50

0.1

Re-identification Rate

0.125

0.15

0.175

0.2

0 0.05 0.1 0.15 0.2 0.25

ProposalPPMTF

SGLT (c=50)SGLT (c=100)

UniformReal

TP

-TV

-Top

50

0.1

Membership Advantage

0.125

0.15

0.175

0.2

0 0.1 0.2 0.3 0.4 0.5

TM

-EM

D

0

Re-identification Rate

2

4

5

7

0 0.05 0.1 0.15 0.2 0.25

6

3

1

Membership Advantage0.1 0.2 0.3 0.4 0.5

TM

-EM

D

0

2

4

5

7

6

3

1

Figure 15: Privacy and utility of each location synthesizer.Lower is better in all metrics.

the virtual users are different from the training users, i.e., di-versity. Fig. 15 also shows that Proposal achieves almost thesame membership advantage as PPMTF. Note that TM-EMDof Proposal is worse than that of SGLT because Proposalmodifies the transition matrix via the Metropolis-Hastingsalgorithm. However, TM-EMD of Proposal is still much lowerthan that of Uniform, which means that Proposal preserves thetransition matrix well.

In summary, our experimental results show that Proposalachieves the same re-identification rate as a random guess,and also has security against membership inference attacks inthe same way as PPMTF.

B Details on Sample Algorithms

We developed two sample algorithms for re-identification(VisitProb-R, HomeProb-R) and two algorithms for trace in-ference (VisitProb-T, HomeProb-T).

VisitProb-R. VisitProb-R re-identifies traces based on a visitprobability vector. Specifically, it first trains a visit-probabilityvector, which is composed of the probability for each region,for each user by using reference traces. For an element withzero probability, it assigns a very small positive value δ (=10−8) to guarantee that the likelihood never becomes zero.

Then it re-identifies each trace as follows. It computes thelikelihood (the product of the likelihood for each region) foreach user. For generalized regions, we average the likelihoodover generalized regions. For deletion, we do not update thelikelihood. After computing the likelihood for each user, it out-puts a user ID with the highest likelihood as an identificationresult.

HomeProb-R. HomeProb-R re-identifies traces based on thefact that a user tends to be at her home region between 8:00and 9:00. It is a simple modification of VisitProb-R to use onlyregions between 8:00 and 9:00.

18

x1 x1 x4

x1 x2 x4

x2 x4 x4

User ID: 1

User ID: 2

User ID: 3

Time 1 2 4

Original Traces

x2

x4

x4

3 x1 x2 x4x3

2 1 � 1

� 1 � 3

Visit Count Vectors

User ID: 1

User ID: 2

User ID: 3

x2 x3 x3

x2 x3 x4

User ID: 4

User ID: 5

x3

x3 � 1 � 1

User ID: 4

User ID: 5

1 1 � 2

� 1 � 0

Cluster 1

Cluster 2

x1 x2 x4x3

1 1 � 2

Average Visit Count Vectors

Cluster 1 Cluster 2 0 1 ��� 0.5

x1 x2 x4x3

Figure 16: Clusters of visit count vectors.

VisitProb-T. VisitProb-T first re-identifies traces usingVisitProb-R. Here it does not choose an already re-identifieduser to avoid duplication of user IDs. Then it de-obfuscatesthe original regions for each re-identified trace. For pertur-bation, it outputs the noisy location as is. For generalization,it randomly chooses a region from generalized regions. Fordeletion, it randomly chooses a region from all regions.

HomeProb-T. HomeProb-T is a simple modification ofVisitProb-T to use HomeProb-R for re-identification.

C Best Anonymization Algorithm

Below we briefly explain the winner anonymization algorithmthat achieved the highest trace inference privacy score s(t)T,min.The source code is also published in [2].

The winner anonymization team is from a company. Theage range is 20s to 30s. The team members have participatedin past PWS Cups. They are also a certified business operatorof anonymization.

The winner algorithm consists of three steps: (i) clusteringusers based on visit count vectors, (ii) adding noise to regionsso that visit count vectors are as similar as possible withinthe same cluster, and (iii) replacing each hospital region withanother nearby hospital region. The first and second stepsaim at preventing re-identification based on visit probabilityvectors. In addition, the amount of noise in step (ii) is smallbecause the visit count vectors are similar within the clusterfrom the beginning. The third step aims at preventing theinference of sensitive hospital regions. The amount of noisein step (iii) is also small because the selected hospital regionis close to the original hospital region.

Specifically, in step (i), it clusters users based on visit countvectors using the k-means clustering algorithm, where thenumber k of clusters is k = 100. In step (ii), it calculates theaverage visit count vector within each cluster and adds noiseto regions of each trace to move its visit count vector close tothe average visit count vector. Steps (ii) and (iii) are performedunder the constraint of the utility requirement (utility score≥ 0.7). Fig. 16 shows a simple example of the clusters (k = 2)and the average visit count vectors.

0 0 0 0 0

0 0.099 0.121 0.099 0

0 0.121 0.20 0.121 0

0 0.099 1.121 0.099 0

0 0 0 0 0

x21 x22 x23 x24 x25

x16 x17 x18 x19 x20

x11 x12 x13 x14 x15

x6 x7 x8 x9 x10

x1 x2 x3 x4 x5

Fuzzy Counting ( , )

0 0 0 0 0

0 0 0 0 0

0 0 1 0 0

0 0 0 0 0

0 0 0 0 0

Raw Counting

Figure 17: Fuzzy counting (η0 = 0.2, λ0 = 0.5). In this ex-ample, the target region is x13. The raw counting techniquesimply counts the target region. The fuzzy counting techniqueincreases counts for surrounding regions, e.g., count for x8 by0.121.

D Best Attack Algorithms

Below we explain attack algorithms for re-identification andtrace inference developed by a team that won 1st place inre-identification (i.e., the best re-identification award) and 3rdplace in trace inference. The source code is also publishedin [2]. Although a team who won 1st place in trace inferenceis different, we omit its algorithm because the sum of privacyscores against the other teams is similar between the 1st to4th teams.

The winner attack team is from a company. The age rangeis 40s. The team members have also participated in past PWSCups.

Re-identification. The winner re-identification algorithmuses a fuzzy counting technique as a basic strategy. Whengenerating a visit count vector for each user from her referencetrace, this technique counts each region in the reference trace(referred to as a target region) and its surrounding regionsfuzzily. The fuzzy count for each region is determined by anexponential decay function h(d) = ηoe−λ0d , where η0 andλ0 are constants and d is the Euclidean distance from thetarget region. The Euclidean distance is normalized so thatthe distance between two neighbor regions is 1. Fig. 17 showsan example of the fuzzy counting when η0 = 0.2 and λ0 = 0.5.

From each visit count vector, it generates a term fre-quency–inverse document frequency (TF-IDF) style featurevector to weigh unpopular regions more than popular re-gions. Specifically, let γi, j ∈ R≥0 be a count of region xi inuser u j’s trace, and ξi ∈ Z≥0 be the number of users whosetrace includes region xi (ξi ≤ m = 2000). Then it calculatesthe i-th element of a feature vector of user u j by TF · IDF,where (TF, IDF) = (γi, j, log m

ξi), (γi, j,1), (log(1+ m

ξi), log m

ξi),

or (log(1+ mξi),1). Based on the feature vectors, it finds a user

ID for each pseudonym via the 1-nearest neighbor search.Optimal values of η0, λ0, and (TF, IDF) were determined

using sample trace data published to all teams before thecontest. The optimal values were as follows: η0 = 0.33, λ0 =1, and (TF, IDF) = (log(1+ m

ξi),1).

Trace Inference. The trace inference algorithm of this teamfirst re-identifies traces using the re-identification algorithmexplained above. Then it de-obfuscates the original regions

19

Table 2: Standard deviation (SD) of the minimum privacyscores s(t)R,min and s(t)T,min for the 17 teams calculated by thesample anonymization and attack algorithms (NO: No Obfus-cation).

NO MRLH(1,1,0.5) RR(1) PL(1,1)

s(t)R,min 0.0095 0.0068 0.00055 0.0026

s(t)T,min 0.011 0.0033 0.00015 0.0010

for each re-identified trace in a similar way to VisitProb-T withan additional technique – replacing frequent regions. Fromreference traces, this technique calculates the most frequentregion for each user and each time instant from 8:00 to 18:00(there are 20 regions for each user and each time instant). Ifthe frequency exceeds a threshold (determined by experimentsusing the sample trace data), it regards the region as frequent.Finally, it replaces a region with the frequent region (if any)for each user and each time instant in the inferred traces.

E Fairness in Our Contest

We evaluated the variance of privacy scores as follows. Weanonymized the original traces of the 17 teams using NoObfuscation, MRLH(1,1,0.5), RR(1), or PL(1,1). Then we ap-plied all the sample attack algorithms to the anonymizedtraces and evaluated the standard deviation (SD) of the pri-vacy scores s(t)R,min and s(t)T,min.

Table 2 shows the results. The SD is the largest when wedo not apply any obfuscation algorithms (No Obfuscation), inwhich case the SD is about 0.01.

Table 2 and Fig. 14 show that for re-identification, the stan-dard deviation (= 0.01) is much smaller than the differencebetween the best privacy score (= 0.79) and the second-bestprivacy score (= 0.67). Thus, it is highly unlikely that thedifference of the original traces changes the order of the 1stand 2nd places. For trace inference, the best, second-best, andthird-best privacy scores are 0.720, 0.709, and 0.637, respec-tively. Thus, it is highly unlikely that the difference of theoriginal traces changes the order of the 2nd and 3rd places.

F Utility in Our Contest

Finally, we evaluated various types of utility for the validanonymized traces of the 17 teams.

Anonymized traces are useful for POI recommendation[38] in the intermediate model and geo-data analysis, as de-scribed in Section 5.2. For POI recommendation, we consid-ered the following service. Suppose that a user is interestedin POIs within the radius of r1 km from each location in heroriginal trace (referred to as nearby POIs). To recommendthe nearby POIs, the LBS provider sends all POIs within theradius of r2 km from each location in the anonymized traceto the user through the intermediate server. Then the client

Figure 18: Box-plots of 17 points (utility values of the 17teams). The number in the square bracket represents the aver-age utility score s(t)U . The red line represents the median. Thevariance is very small for PL, Uniform, and Reference becausethe same obfuscation method is used for all of the originaltraces. Higher is better for POI Accuracy. Lower is better forthe others.

application makes a recommendation of POIs based on thereceived POIs. Note that the client application knows the orig-inal locations. Therefore, it can filter the received POIs, i.e.,exclude POIs outside of the radius of r1 from the originallocations. Thus, r2 can be set to be larger than r1 to increasethe accuracy at the expense of higher communication cost [3].

We extracted POIs in the “food” category from the SNS-based people flow data [46] (4692 POIs in total). We setr1 = 1 km and r2 = 2 km. Then we evaluated the proportionof nearby POIs included in the received POIs to the totalnumber of nearby POIs, and averaged it over all locationsin the original traces (denoted by POI Accuracy). We alsoevaluated TP-TV-Top50 and TM-EMD as utility measures inthe geo-data analysis.

Fig. 18 shows the box-plots of 17 points (utility values ofthe 17 teams) for each utility metric, where 17 Teams repre-sents the valid anonymized traces submitted by the 17 teams.We also evaluated PL(4,1), PL(1,1), and PL(0.1,1) appliedto the original traces of the 17 teams. Uniform is the utilitywhen all locations in the anonymized traces are independentlysampled from a uniform distribution. Reference is the utilitywhen the reference traces are used as anonymized traces.

Fig. 18 shows that 17 Teams and PL(4,1) (both of whichsatisfy s(t)U > 0.7) provide very high utility for POI Accuracy(the median is 0.9 or more). This is because the POI recom-mendation task explained above requires each location in theanonymized trace to be close to the corresponding location inthe original trace to some extent. Since the utility score in ourcontest is based on this requirement, it is inherently suitablefor POI recommendation based on anonymized traces.

Fig. 18 also shows that 17 Teams and PL(4,1) providealmost the same performance as Reference for TP-TV-Top50and TM-EMD, which means that statistical information is alsowell preserved when s(t)U > 0.7. Therefore, our utility scorecan be used as a simple guideline to achieve high utility ingeo-data analysis.

In summary, our utility score is suitable for both POI rec-

20

ommendation and geo-data analysis.

21